Comment on "Quantum string seal is insecure" 
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Recently an attack strategy was proposed by Chau [H. F. Chau, quant-ph/0602099 v3], which was 
claimed to be able to break all quantum string seal protocols, including the one proposed by He [G. 
P. He, Int. J. Quant. Inform. 4, 677 (2006)]. Here it will be shown that the information obtained 
in He's protocol by the attack is trivial. Thus Chau's conclusion that all quantum string seals are 
insecure is wrong. It will also be shown that some other claims in Chau's paper are inaccurate 
either. 



O 
O 

(N 
O 

Q 



o 

(N 
O 

S3 

Ok 

^— > ■ 

G ■ 
cd 

3 : 
cr 



PACS numbers: 03.67.Dd, 03.67.Hk, 89.20.Ff, 89.70.+C 

In a recent paper Chau claimed that all quantum 
string seals are insecure. The core of Chau's attack strat- 
egy is the measurement 



Q lQ = al + b \i) (i\ 



(1) 



(see Eq. (29) of that reference). It was claimed that with 
this measurement, the attacker can obtain non-trivial in- 
formation on the sealed string while escapes the verifier's 
detection with at least 50% chance. However, the paper 
concentrated only on the fidelity of the sealed state corre- 
sponding to the attacker's measurement, without provid- 
ing a detailed evaluation on the amount of information 
obtained by the attacker. Here it will be shown that for 
a class of quantum string seal protocols including the one 
proposed by He [2j, this amount of information is only 
trivial. Therefore in contrast to Chau's claim, quantum 
string seal can be unconditionally secure. 

In fact, the general proof on why Chau's attack strat- 
egy fails had already been well addressed in Ref. 
Briefly, consider a simple model of imperfect quantum 
string seal, in which the sealed state for the message %' is 
taken as 



4>i 



j' 



(2) 



where the notation is the same as that in Eq. (1) of Rcf. 
Applying the measurement Qio on it yields 



Q 
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Thus the probability for the message i' to be decoded as 
i by the attacker is 



Pi>i = a 2 + {2ab + b 2 )X 
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where v is defined by Eq. (12) of Ref. 0). According to 
Sec. IV of Ref. [U, by fixing v — 1/2, the attacker can 
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escapes the verifier's detection at least half of the time, 
so that all quantum seals are claimed to be insecure. But 
in this case, the above equation becomes 



Pi 
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(5) 



It means that any one of the iV possible choices of the 
message i' has at least the probability 1 / (27V) to be de- 
coded as message i, even if its content is completely ir- 
relevant with i. In other words, whenever the attacker 
obtains a message i via the measurement strategy, there 
is at less a probability pi — JV, 1/(2 V) — 1/2 that the 
original message can be anything, i. e., the amount of 
information he obtained is zero. Thus it can be seen 
that the attack strategy is useless. Though at half of the 
time it can escape the verifier's detection, the amount of 
information obtained on the sealed message is only triv- 
ial. Therefore Chau's claim that all quantum seals are 
insecure is wrong. 

Now it will be shown that the protocol proposed in Ref. 
is indeed such a secure quantum string seal. In this 
protocol, to seal a string i' = i' 1 i' 2 ...i' m ... (i' m S {0,1}), 



the sealed state is taken as 



where 



ipy ) = cos0 m \i' m ) + sin0 m \i' m ). Thus by taking 



0, 



(6) 



where f m (9m) is cos# m (sin# m ) if the m-th bit of the 
string j' equals to (does not equal to) that of the string 
i', we can see that the protocol belongs to the class of 
quantum string seal described by Eq. @. Therefore 
as shown above, it cannot be broken by Chau's attack 
strategy. 

In Sec. IV of Ref. pj, it was claimed that "the ma- 
jor loophole in He's proof of the security of his quantum 
string seal in Ref. [2] is that he incorrectly assumed that 
measuring all the qubits is the only method to obtain a 
significant portion of information of the sealed message" . 
But this is obviously incorrect. In the paragraph before 
Eq. (5) of Ref. [2|, it was clearly written that the gen- 
eral security proof starts as follows. Let H denotes the 
2" dimensional Hilbert space where the sealed state lives 



2 



in, and V denotes the space where the final state lives in 
after the attacker performs certain POVMs. Note that 
no restriction was ever put on V. V can even equal to H 
if the attacker's POVMs do not contain any projection 
operator which will make the sealed state collapse. Thus 
every possible case is covered by the security proof fol- 
lowing that paragraph. There is no such assumption as 
mentioned in Chau's claim. 

It was also claimed in the same section of Ref. [l[ 
that the analog of the attack strategy proposed in Ref. 
[H is not optimal. In this analog, the attacker needs no 
quantum computer to perform the collective measure- 
ment in Eq. (fTJ). He can simply toss a coin to decide 
his action. At half of the cases he performs the hon- 
est measurement suggested by the quantum string seal 
protocol and reads the string, while at the other half of 
the cases he does nothing. This is completely equivalent 
to the v — 1/2 case of Chau's attack strategy, because 
substituting v = 1/2 into Eq. ([1]) gives 
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Due to the linearity of quantum mechanics, we can see 
that applying the measurement Qio (i = 0,...,N — 1) 
on the sealed state is equivalent to applying the identity 
operator / (which actually means doing nothing) with 
the probability 1/2. The merit of the analog is that it 
can help us understand clearly why Chau's attack can 
escape the verifier's detection at half of the cases - simply 
because the attacker has done nothing at these cases. 
More generally, by tossing a biased coin, the attacker 
can have a corresponding analog of Chau's strategy for 
any v value. Therefore Chau's claiming that the analog 
of the attack strategy is not optimal sounds confusing. It 
seems to indicate that the optimal strategy should have 
v = 1 instead of v = 1/2. If so, Eq. fl} becomes 

Q.o = \%) (i\ ■ (8) 

Then Eq. §3§ shows that after applying on t/v \ , the 

final state will collapse to \i) with the probability A?^. 
Thus the average fidelity of the final state is Yli^t'i' 
which is arbitrarily small as N increases. Therefore it 
cannot escape the verifier's detection. That is, the re- 
sults in Ref. [l[ corresponding to different v values in 



fact shows that if the amount of information obtained by 
the attack measurement is optimized, the probability of 
escaping the detection will be trivial, or vice versa. In 
either case, Chau's strategy is not a successful attack. 

In addition, there is also a misleading claim in the 
introduction of Ref. [l[ (which also appeared in Ref. 
0). It was claimed that the security bounds of imper- 
fect quantum single bit seal obtained by He [5j are not 
tight, while Chau proved that all imperfect quantum bit 
seals are insecure, and obtained a greater lower bound 
[Hi- But in fact, Chau's model of quantum bit seal stud- 
ied in Ref. [3] is less general than that of He's in Ref. 
0, and Chau's bound is not tighter. More rigorously, 
in He's model, measuring the sealed states can result in 
three outcome sets Go, G\ and {g £ Go U GJ, where 
Go and Gi are corresponding to the decoded bit values 
and 1 respectively, while {g £ Go U Gi} tells the reader 
that the decoding fails Also, the maximum proba- 
bility a for the sealed bit b to be read correctly can be 
kept secret from the reader. Let (3 denotes the prob- 
ability for the reading operation to be detected by the 
verifier. By proposing an explicit cheating strategy, two 
security bounds (3^1/2 and a + (3 < 9/8 were obtained 
in Ref. @. But in Ref. Chau's model covers a spe- 
cial case of He's model only, where {g £ Go U Gi} = 
and a (denoted as g max in that reference) is known to 
the reader (otherwise his cheating measurement cannot 
be constructed). The lower bound for the fidelity of the 
resultant state (equivalent to 1—0) was also found, which 
was said to be greater than 1/2. But in fact, the greater 
lower bound is achieved only when the amount of infor- 
mation obtained by the cheater drops. From the analog 
of the attack strategy proposed in Ref. [3(] it can easily 
be seen that this result is not significant, because if the 
cheater reads the sealed bit only with a small probability, 
the fidelity of the resultant state is surely greater. Also, 
the result is in agreement with f3 ^ 1/2, while no analog 
to the finding a + (3 ^ 9/8 of Ref. [5|] was found in Ref. 

For this reason, the remark on Refs. [f| in Ref. [HQ 
is improper. 
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